Feedback

Summary. On april the 12 the document with the judgement was finally released. The document shows the motivation behind the conviction of the three Google’s executives in Italy and provides more insight in the case and on the rules of law the conviction was based on. I’ve been talking extensively about the trial, the indictment and the verdict when the latter was made public in a post available here (further references and story behind the beginning of the trial can be found in the post). Back then the only public news were the legal basis of the indictment and the verdict but not yet the reasons that led to the conviction. Since now this is public I’ll be discussing the content of the judgment and what are the relevant consequences left after the trial for Internet service providers in Italy. This post is based on the column I wrote for Apogeonline (a Google Translation is available with a copy and paste of the text) and on the conversations I had with Peter Kaptein, whom I thank very much for stimulating me to write this post. The translation of some sentences from the judgment are not official but mine so it might be not accurate. The views expressed in this post, also, are my own personal.

.

.

.

Italy’s position on providers and user generated content in the Google trial

The good thing that comes out of the trial is that in Italy – according to the judgement:

The provider has no obligation to monitor user-generated content;

The provider does not have to ensure that users fulfilled the obligations attributed to them by the rules on privacy when they spread content on the web that also includes information about or from third parties.

A different ruling could have put Italy in a possible divergence from the European Union legal set of rules about ISP liability and put the country under serious accusations of censorship. Luckly the ruling respects the ISP safe harbour rules and, indirectly, acknowledges that the safe harbour applies even in data protection related cases.

According to the judgment there is no obligation for Google to control content nor to gather consent from people portrayed in users` content. But if this is the case, why were the three executives sentenced to 6 months of imprisonment?

We can read that directly from the judge’s decision: “There is not, therefore, a requirement for prior review of data entered into the system but it’s mandatory that those [read “Google” in this case] who receive personal data from third parties should give correct and timely notice. This is required not only by law (Section 13 Data Protection Code), but also by common sense”

There is more regarding Section 13. According to the Milan court the three Google executives were held accountable for not fulfilling “the due notice obligations under Section 13 of the Privacy Code”. These obligations, according to the judgment, should include the responsibility of a party like Google to make explicitly clear to users what their responsibilities are regarding privacy and privacy protection.

By this interpretation, then, Google should tell its users: ” Do not upload other people’s data without gaining their prior consent”. As Google is not telling their users this clearly enough (according to the ruling), Google is in a way encouraging the users to upload content that might harm the privacy or reputation of other people.

The judgement seems to assume that Google is fully aware of that situation and abuses that situation to make profit of its users. The basis of the conviction, then, according to the judgment, comes from the combination of section 167 and section 13 (even if section 13 is not mentioned by section 167, as we’ll see).

Under the section 13, any company who collects data must provide its users a privacy notice that explains what information must be collected about the user, how the information will be processed, with whom the information will be shared and the purpose of the personal data collecting in order for the service to function.

The privacy notice must also inform the user of his rights of having his data erased or updated and that at any time he can ask the company if it is actually processing any data that belongs to him. For this reason, any company must provide an address where users can send their requests.

Did Google Video break Section 13?

According to the Italian judge the answer is yes.

The ruling, however, does not say which requirements of Section 13 were not met by Google. And reading deeper in the ruling, more confusion arises about the basis that led to the sentence of 6 months for the Google executives.

The basis of the conviction

The basis of the conviction is this:

The three Google executives did not fulfill the due notice obligations under Section 13 of the Italian Privacy Code.

The three executives processed the Personal Data (containing the images of a student with a disability being beaten up) ‘in order to profit ‘.

This “profit” was made by the presence of Google Ads in the Google Video content.

Making profit based on relative harm of to the person involved is in violation of section 167 of the Italian data protection code, which states the violation may occur by breaking the rules stated in section 23, 17 or 26 of the Code (see analysis of section 167 here).

So, the conviction is based on the combination of two sections and the relationship between the two comes, according to the ruling, from a matter of fact

The confusing part of the ruling

It’s very unclear why Section 13 is used as the basis for the conviction since this section is not even stated in the indictment (see charge B, which is the one about the privacy laws breach).

Reading the ruling, it becomes clear that Section 167 of the Data protection Code is the key rule that led the judge to the sentencing of the three executives. Section 167 is stated in the indictment as the second charge against the Google`s executives.

Section13 is not mentioned in Section167 but inSection 161 of the Code regarding protection of personal data. Neither 161 nor 13 are part of the original charge against Google. 167 is.

Section 161 (Providing No or Inadequate Information to Data Subjects) states that “Breach of the provisions referred to in Section 13 shall be punished by a fine consisting in payment of between six thousand and thirty-six thousand Euro.”

When usingSection167 the crime Google Video committed consists of three parts:

The breach of the mentioned Sections (in Section 167)

The gain from the behavior

Damage caused to the owner of the data

According to the judgement, the users should give the preliminary notice required by Section 13. Consequently Section 167 is blown off the table as none of the behavior of Section 167 is – as a result of this logic – committed by Google or their executives.

the ruling was right in stating that the adequate protection of privacy in cases like these cannot be found in content control;

he disagrees with the interpretation of section 13;

Section 13 is about the notice the Internet Service Provider must give to its users regarding its services and about the way the ISP processes the data of its users only;

the need to remind users that they should gather prior consent from other people if they appear in videos (or images) is not stated in section 13 nor in any other section;

since this is a criminal trial it should be the law to tell what is illegal or what the consequences related to a specific behaviour or omission are before the behaviour or the omission is committed, not the judge after the commission.

It is very likely that the affair is not finished and this ruling will probably be overturned on appeal. It did, anyway, dismiss the worst case scenario feared worldwide from the beginning of this trial making it clear once again that: the internet service provider does not have to monitor or control the content generated by its users and that it does not have to ensure that users fulfilled the obligations attributed to them by the rules on privacy when they spread content on the web that also includes information about or from third parties.

Summary. The following post will cover what happened in the Google executives’ trial in Itay from a legal point of view .

It explains which criminal sections were in the indictment, how they work, how the Electronic Commerce directive exempion works in Italy and why the electronic Commerce Directive did not apply in that particular case. We still do not have the complete ruling (only the verdict).

My best guess is this: Google made a possible mistake to not go for a formal consulting with the Italian Privacy Authority following the rule of sect. 17, before launching the service. It would have provided them with advice on how to deal with possible situations like this one, where users committed a crime (failing to comply with Data Protection code) using their service.

But even this is not a solution in my opinion, as it would require a service like Google Video or YouTube to ask each country for their specific rulings and exceptions, leading to a very complex legal situation.

Preface. Yesterday I interviewed one of the lawyers who defended the employees from Google in the Italian trial: Giuseppe Vaciago (available here in Italian and here with a Google translation).

I have been writing twice about the trial in my columns for Apogeonline: one written back in 2006, when everything started, and the other written hours after the news of the Google executives` conviction spread.

The post is a summary of the interview and both of my articles and of a conversation I had via Skype with Peter Kaptein while I was trying to explain him what was happening here but this post expresses my personal view only.

Everything happened in 2006 and I remember fairly well the frantic hours in the early days of November where a non stopping word of mouth was spreading amongst Italian blogs. A video depicting some students from a high school in Turin bullying and insulting a disabled guy had been found on Google Video. One of the students, a girl, was filming everything with her mobile phone and then uploaded the video. The video itself lived on its life in the internet magma from the beginning of September until the first days of November 2006 collecting lots of views meanwhile. This until someone reported its presence to a blog where it appeared a post about the video pointing out the shameful behavior of the students. A few days later we knew that a no profit organization filed a criminal suit in Milan for defamation (and in Turin other criminal suits followed against the students). Google itself took down the video after a formal request by the prosecutors and gave all the information they requested. Nevertheless within days the headlines of newspapers and all the media were announcing that Google Italy was prosecuted in Italy for defamation under the circumstance that the executives could be deemed accomplices to the students.

This was the beginning of the whole story that lead to the trial all the press is talking about worldwide and that has seen three Google`s executives convicted in Italy, even if the whole trial is still far from an ending. Many things have been said so far. As for now, anyway, no one knows what the judge stated in his decision since it has still to be made available to the public. I`d like to give my take trying to explain what we know now about the verdict and to give an overview about the laws stated in the indictment.

So the first hard question to give an answer to is if it`s possible, according to Italian law provisions, to deem the executives of a content provider liable for a crime committed by their users.

The case law decided on the 24 of February gives two different answers to this question, both very interesting and possibly scary at the same time.

During the trial, in fact, Google`s executives have been indicted with two charges: defamation and illicit processing of personal data.

The judge has acquitted all of the Google employees for the charge of defamation which means that the Italian court itself acknowledged that internet content providers have no obligation to control the content their users upload on their servers. The acquittal verdict was, in fact, “not guilty”. This opinion is shared by one of the Google`s executives lawyers, Giuseppe Vaciago who thinks that the acquittal from the charge of defamation can exclude an obligation for providers to control their users` content.

As for the second charge, instead, we have a completely different scenario. As for now, as Vaciago himself stated, we only know that actually the charges for the failure to comply with the privacy regulations were two, but we do not know yet for which of the two (or if for both) the Google executives were found guilty.

I think it`s important to give a quick look on the sections of the Italian Privacy Code that – according to the indictment – were violated in order to clarify the issues at stake.

Section 167 of the Italian data protection code states as follows:

“(Unlawful Data Processing)

1. Any person who, with a view to gain for himself or another or with intent to cause harm to another, processes personal data in breach of Sections 18, 19, 23, 123, 126 and 130 or else of the provision made further to Section 129 shall be punished, if harm is caused, by imprisonment for between six and eighteen months or, if the offence consists in data communication or dissemination, by imprisonment for between six and twenty-four months, unless the offence is more serious.

2. Any person who, with a view to gain for himself or another or with intent to cause harm to another, processes personal data in breach of Sections 17, 20, 21, 22(8) and (11), 25, 26, 27, and 45 shall be punished by imprisonment for between one and three years if harm is caused, unless the offence is more serious”.

The bold is mine and underlines the infringements stated in the indictment.

As for the section 23 recalled in the first sentence, it means that any organization can lawfully process people`s personal data only after collecting their prior consent.

The section 26 recalled in the second sentence, instead, regards “sensitive data”. In this situation the consent needs to be formal and signed. Anyways section 26 states also that no sensitive data disclosing health may be disseminated (i.e. shared on the web), not even if there is a written consent. This means that uploading a video where a disable person appears is forbidden.

Section 167 applies if the failure to comply with the above rules causes a damage to the person whose data are processed and if there`s a gain (which for the public prosecutors could be found in the AdSense ads that appear in Google Video).

Section 17, instead, states that before processing data that may carry specific risks it is mandatory to have a prior formal consulting with the Italian Privacy Authority in order to find a lawful way to comply with the rules and still maintain the service offered while preserving data subjects’ fundamental rights and freedoms and dignity.

So the sections relevant for section 167 are three (23, 26, 17) and all of them bring different rules and obligations. If the judge`s decision will state the failure of the prior consent or the unlawful dissemination of the disabled student`s data both the executives and the students should be deemed guilty. It is actually forbidden, in fact, for natural persons, to disseminate other people`s data without the prior consent. This means that before uploading a picture of Facebook where other people appear, or a video for instance, the consent becomes mandatory.

If the decision will state, instead, the violation of the rule of section 17 the unlawful behavior is by the executives of Google Italy alone.

We`ll be able to understand if the verdict was given because or the lack of prior consent, the unlawful processing of health related data or the omission of the prior consulting with the Privacy Authority (or all of the above) only after we`ll be able to read the sentence.

What we can reasonably hold for sure now is that Italian verdict was not based on the Electronic commerce directive, whose rules are in force and still apply and still are held as a basic safe harbor for internet providers here as in all EU member states.

I would also point that the said directive does not apply to privacy regulations (see section 1, point 5 b).

So, even if the electronic commerce directive provides a safe harbor for providers, it is not going to apply for privacy regulations for the whole European Union member states, not only in Italy.

But what could the basis of the conviction be then? Given that there is no safe harbor for privacy rules but still providers have in general no obligation to control users` generated content how should a provider behave to comply with Italian laws? Control or nor control? Both things have disgraceful effects. Control brings to censorship, the lack of control brings to responsibility (at least, for sure, under the privacy provisions).

My personal opinion is to follow a precautionary rule.

The first and obvious answer, in fact, is that a provider who is aware that through its services users might commit crimes regarding personal data should seek for a prior formal consulting with the Italian Privacy Authority following the rule of sect. 17.

The second one could be to force the users to formally accept and understand by the terms of service that they cannot share other people`s data. It is normal, in fact, that the responsibility of having the mandatory permissions to process other people`s data should lie on the user and not on the provider. Also because the latter has no concrete means to control that every single content is lawful. And to force the provider to control that every of its users have all the rights means also to take the responsibility related to such control, which is unrealistic and, for this reason, unlawful itself.

Awareness of what you are doing when you are lifestreaming yourself and your friends on the web, anyway, is a goal towards we all should strive to.

For sure this trial is going to be a landmark in Italy as it shows that the rules in force are still far from finding a balance between the freedom of expression in general and the protection of personal data in particular. And even following the precautionary rule would be a strong limitation not only for Google but for every internet service in general because that would mean that a local government should give its prior consent before the service can be rolled out in that country. This goes against the basic principle of the web as it has become to be: that all data and services are available world wide. In the worst case each country would be like a walled garden where each service, and so the users’content that it carries and delivers, should ask permission to enter.

Dai termini d’uso del servizio leggo, infatti, che le parti possono essere usate solo e unicamente per realizzare i remix caricati (“the Entrant will not use any other elements or parts of the Song (“Stems”) otherwise than to create Remixes of the Song for entry into radioheadremix.com“) e che l’autore dei remix non può vantare diritti in merito alle canzoni remixate (” the Entrant will not acquire a copyright interest in the Song by virtue of creating Remixes of the Song“) e che i Radiohead e la casa discografica saranno i soli titolari dei diritti morali anche per i remix (“Thom Yorke, Jonny Greenwood, Colin Greenwood, Ed O’Brien and Phil Selway will be registered and credited as the sole writers and WCM the publishers of the Remixes of the Song created by the Entrant“) e che l’autore dei remix non sfrutterà o lascerà che altri sfruttino i remix creati senza ricevere il reventivo consenso scritto della Warner/Chappell Music Ltd e di _Xurbia _Xendless Ltd (“the Entrant will not exploit, or allow others to exploit, the Remixes of the Song created by the Entrant without seeking the prior approval of WCM and Xurbia“).